
1. Run the latest version of DNS: ensure your DNS servers are running the latest version of DNS software, BIND 9.2.x or MS Windows 2003.

3. Use forwarders, if possible: have your internal name servers forward all non-authoritative queries to a set of forwarders, and ensure those forwarders are upgraded (latest version of DNS software) and locked down (recursive queries allowed only from internal addresses). This limits which DNS servers actually have contact with the Internet.

4. Split your external authoritative name servers and forwarders, if possible: external authoritative name servers need to accept queries from almost any address, but forwarders don't (they should be configured to accept queries from internal addresses only). Additionally, external authoritative name servers should have recursion disabled entirely.

5. Make use of firewall services: use firewall services at both the network perimeter and on the DNS servers themselves, and limit access to only those ports/services that are required for DNS functionality.

Here are some best practices to minimize cache poisoning risk (there may be some overlap with the above):

Separate external and internal name servers (physically separate machines or run BIND views)
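As an added example (not from the article), the following BIND 9 named.conf fragment applies steps 3 and 4 and the view-based separation above on a single server: internal clients get a recursive view that forwards to locked-down forwarders, while the Internet-facing view is authoritative only with recursion disabled. The ACL ranges, forwarder addresses and zone name are constructed placeholders, and the view/allow-query-cache syntax assumes BIND 9.4 or later.

```conf
// Added example, not from the article. Constructed addresses and zone name.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    // Weak baseline this fragment replaces: "recursion yes;" with no
    // allow-recursion restriction, i.e. an open resolver for anyone.
};

// Internal view: recursion only for internal clients (step 3 and the
// internal/external split above).
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-query { "internal"; };
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
    // Send every non-authoritative query to the hardened forwarders, so
    // only those hosts talk to the Internet (constructed addresses).
    forwarders { 10.0.0.53; 10.0.1.53; };
    forward only;

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// External view: authoritative answers for anyone, never recurses and
// never serves cached data (step 4).
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

After loading the configuration, a query for an off-zone name from an external address should return REFUSED, while the same query from an internal address is answered through the forwarders.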
